{“lastseen”:”2026-02-12T16:05:07″,”description”:”Go has indisputably the best package integrity story of any programming language ecosystem. The Go Checksum Database guarantees that every Go client in the world is using the same source for a given Go module and version, forever.\\n\\nIt works despite the decentralized nature of Go modules, which can be fetched directly from their origin based on the import path. (For example, you can fetch v1.2.3 of `github.com\/example\/mod` by cloning the git repository and exporting the v1.2.3 tag. `GOPROXY=direct` forces this.1)\\n\\nThe Checksum Database stores the cryptographic hash of a module version the first time it is used across the ecosystem, and then provides that same checksum to every Go client going forward. If e.g. a git tag were force-pushed or a code host were to try to serve targeted versions to some clients, the `go` tool would notice the mismatch and fail the fetch.\\n\\nThis is vastly more practical than requiring module authors to manage keys, but provides comparable security, because the author themselves can verify the checksum in the Checksum Database matches the one they developed. Moreover, the Checksum Database is a transparency log, which prevents even the database operator (i.e. Google) from falsifying or hiding entries.\\n\\nHowever, any time we **read code directly from the code host** we introduce a weak link in this chain. For example, there is no guarantee that the code displayed at `https:\/\/github.com\/example\/mod\/blob\/v1.2.3\/exp.go` is the actual contents of `exp.go` from v1.2.3 of module `github.com\/example\/mod`: GitHub allows force-pushing git tags and even built its recommended GitHub Actions workflows on top of mutable tags.\\n\\nLast year this was taken advantage of to make a classic typosquatting attack harder to identify. A fake BoltDB module was published with malicious code, and then innocent code was force-pushed to GitHub. Some commenters described this as exploiting the Go Modules Mirror\u2019s cache, but it is better understood as exploiting the natural lack of verification in the GitHub web interface, which doesn\u2019t show the authentic (and in this case malicious) source of a module version, as used by actual Go tooling.\\n\\nThe solution when reviewing modules locally is to use a command like\\n \\n \\n cd $(go mod download -json filippo.io\/age@v1.3.1 | jq -r .Dir)\\n \\n\\nto fetch the correct source.2 We are also working on a `go mod verify -tag` command to verify the contents of a local git repository against the Go Checksum Database, which can also be used by module authors to check that the contents of the Checksum Database are correct.\\n\\nHowever, pkg.go.dev still links to unverified code hosts, and clicking on pkg.go.dev source links is very convenient.\\n\\nRuss Cox made a simple service to view the source of a Go module at go-mod-viewer.appspot.com.\\n\\npkg.geomys.dev is a new similar service with optional syntax highlighting, line and line range linking, multiple fonts, automatic dark mode, and a file tree and module versions browser.\\n\\nYou can use it manually by replacing `go.dev` with `geomys.dev` in any pkg.go.dev URL, or you can install the companion browser extension for Chrome and Firefox, which replaces links to code hosts in pkg.go.dev pages with links to pkg.geomys.dev.\\n\\n \\n\\nThe service works by making HTTP Range requests directly to the module version\u2019s zip file, and decompressing the file in the browser, without having to fetch the whole archive. Once proxy.golang.org fixes their CORS configuration it will work without any Geomys backend.\\n\\nCurrently, it trusts the Google Modules Proxy to serve the correct zip files, without checking the transparency log proof. I plan to implement optional proof checking once proxy.golang.org CORS is fixed, including third-party gossip. Unfortunately, checking the proof does require fetching the whole module version\u2019s zip archive to compute the dirhash, which is included in the Checksum Database (and in go.sum).\\n\\nFor updates, follow me on Bluesky at @filippo.abyssdomain.expert or on Mastodon at @filippo@abyssdomain.expert.\\n\\n## The picture\\n\\nI recently went to Paris and found the Tour Eiffel elevator to be more fascinating than the tower itself. Whatever that says about me.\\n\\n\\n\\nMy work is made possible by Geomys, an organization of professional Go maintainers, which is funded by Ava Labs, Teleport, Tailscale, and Sentry. Through our retainer contracts they ensure the sustainability and reliability of our open source maintenance work and get a direct line to my expertise and that of the other Geomys maintainers. (Learn more in the Geomys announcement.) Here are a few words from some of them!\\n\\nTeleport \u2014 For the past five years, attacks and compromises have been shifting from traditional malware and security breaches to identifying and compromising valid user accounts and credentials with social engineering, credential theft, or phishing. Teleport Identity is designed to eliminate weak access patterns through access monitoring, minimize attack surface with access requests, and purge unused permissions via mandatory access reviews.\\n\\nAva Labs \u2014 We at Ava Labs, maintainer of AvalancheGo (the most widely used client for interacting with the Avalanche Network), believe the sustainable maintenance and development of open source cryptographic protocols is critical to the broad adoption of blockchain technology. We are proud to support this necessary and impactful work through our ongoing sponsorship of Filippo and his team.\\n\\n* * *\\n\\n 1. I generally recommend against `GOPROXY=direct` and actually configure `GOPROXY=proxy.golang.org` to remove the direct fallback and reduce the attack surface of running git clone on potentially adversarial repositories. That\u2019s besides the point of this article, though: whether you fetch direct or through a proxy, you will still always get the same contents authenticated by the sumdb (or an error). \u21a9\\n\\n 2. If you use a code agent, you can add the following line to your AGENTS.md or CLAUDE.md: `To see source files from a dependency, or to answer questions about a dependency, run `go mod download -json MODULE` and use the returned `Dir` path to read the files.` \u21a9”,”published”:”2026-02-12T13:48:03″,”modified”:”2026-02-12T13:48:03″,”type”:”filippoio”,”title”:”Inspecting the Source of Go Modules”,”source”:””,”references”:””,”id”:”FILIPPOIO:4C3AC46D92115FA237F1DB3D5895A1B6″,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/words.filippo.io\/go-source\/”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-02-12T16:05:07″,”description”:”Go has indisputably the best package integrity story of any programming language ecosystem. The Go Checksum Database guarantees that every Go client in the world…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,162,13,33,7,11,5],"class_list":["post-40601","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-filippoio","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n